SpyShelter 10

Discussion in 'other anti-malware software' started by Mops21, Jul 30, 2015.

  1. Schorg

    Schorg Guest

    I have been experimenting with Excubits MemProtect and SpyShelter Firewall for some time and have had no issues; they are very light together.

    I must point out this is on my test PC.
     
    Last edited by a moderator: Oct 23, 2016
  2. Poppey

    Poppey Registered Member

    Joined:
    Nov 23, 2015
    Posts:
    36
    Location:
    Germany
    Yes, that helps. But it also worked for two days with Action 33 enabled. I tried to roll back my system to before I got the popups. But Windows 10 said after the reboot that it could not roll back, but then I didn't have the popups. When I restart Windows, I again have the popup with Action 33.
     
  3. Schorg

    Schorg Guest

    Strange?

    I disabled (unticked) "Enable showing tooltips for blocking network hook actions" because of MBAE, as this is the reason for SpyShelter giving the Action 33 popups.

    Maybe a recently installed program is causing the popups?

    Disabling the tooltips is not a problem; it's just a notification of blocking network hooks.
     
    Last edited by a moderator: Oct 23, 2016
  4. Poppey

    Poppey Registered Member

    Joined:
    Nov 23, 2015
    Posts:
    36
    Location:
    Germany
    Now I have unticked Action 33. I don't know why this popup appears every 5 seconds when I use Opera. But by chance I have found the solution for why all the addons in Opera for the YouTube page don't work when I'm logged in with my Google account.
    There is in the lower left corner of the YouTube page (when I'm logged in with my Google account) a symbol with a little running man. When you press it, YouTube asks you if you want the old layout. I pressed yes and now everything is OK, all my addons work and the background is black and not white. If I had found this one day earlier I would have saved so much time and I wouldn't have had the Action 33 popup :)
     
  5. Schorg

    Schorg Guest

    Well done, glad you have resolved your issue:thumb:
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,843
    Location:
    The Netherlands
    Well, the more I think about it, the more it annoys me. HIPS should always be able to alert about and to block suspicious behavior, especially when it comes to code injection and process hollowing, which are used by the most advanced malware. Also, in most cases you simply want to block certain app behavior without having to terminate the process.

    Yes, it also has got a lot of positive things, but other tools do protect against process memory manipulation, so there is no excuse. I will probably continue to use it, simply because I don't like the alternatives. I don't see myself switching to Comodo, but perhaps I should give HMPA another try.

    Yes, correct. AG and MemProtect are no options for me, and they also don't alert about code injection, they auto-block. The whole point of HIPS is to alert you about suspicious behavior, because it will give you clues about whether some app might have malicious intentions.
     
  7. ald4r1s

    ald4r1s Registered Member

    Joined:
    Apr 8, 2013
    Posts:
    53
    So I have been playing around with the custom file scanner features of SpyShelter, look what I found :)

    http://i.imgur.com/CbZEixy.png

    All you really need is to install the Virus Total Uploader (https://www.virustotal.com/static/bin/vtuploader2.2.exe) and add the line to SpyShelter custom scanner configuration:

    "C:\Program Files (x86)\VirusTotalUploader2\VirusTotalUploader2.2.exe" {FILEPATH}

    And VT is back :) Although I got used to Jotti already, this is really neat that we can get to use VT.
     
    Last edited: Oct 28, 2016
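    The custom scanner line above hands SpyShelter a command template in which {FILEPATH} is replaced with the file to scan. The following is an added example, not code from the post, from SpyShelter or from VirusTotal: it shows how such a template is expanded into an argument vector without re-tokenising a path that contains spaces, and computes the SHA-256 of the file that would be submitted. The function names (scanner_argv, sha256_of_file, demo) and the sample file are constructed for the demo; the template string is the one quoted in the post.

```python
import hashlib
import shlex
import tempfile
from pathlib import Path

# The template quoted in the post above; {FILEPATH} is the token SpyShelter
# substitutes with the path of the file to be scanned.
VT_UPLOADER_TEMPLATE = (
    r'"C:\Program Files (x86)\VirusTotalUploader2\VirusTotalUploader2.2.exe" {FILEPATH}'
)
PLACEHOLDER = "{FILEPATH}"


def _unquote(token: str) -> str:
    """Drop one layer of surrounding quotes that non-POSIX shlex leaves on a token."""
    if len(token) >= 2 and token[0] == token[-1] and token[0] in "\"'":
        return token[1:-1]
    return token


def scanner_argv(template: str, filepath: str) -> list:
    """Expand a custom-scanner template into an argument vector.

    The template is split first and the placeholder substituted afterwards, so a
    path containing spaces (or a stray quote) reaches the scanner as exactly one
    argument instead of being re-parsed. posix=False keeps Windows backslashes
    literal rather than treating them as escape characters.
    """
    tokens = [_unquote(t) for t in shlex.split(template, posix=False)]
    if PLACEHOLDER not in tokens:
        raise ValueError("template has no {FILEPATH} placeholder")
    return [filepath if t == PLACEHOLDER else t for t in tokens]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so a large download need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def demo() -> dict:
    """Expand the template against a constructed sample file in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample with a space in its name; not a real executable.
        sample = Path(tmp) / "my download.exe"
        sample.write_bytes(b"MZ constructed sample, not a real executable")
        return {
            "argv": scanner_argv(VT_UPLOADER_TEMPLATE, str(sample)),
            "sha256": sha256_of_file(str(sample)),
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

    The hash is worth having before the upload: VirusTotal can be queried by hash, so a file that is already known there never has to leave the machine, which matters when the download may contain private data.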
  8. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,398
    Location:
    Germany
  9. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    405
    Location:
    router
    I don't think allowing the built-in registry protection to be disabled would be a good idea.
    However, it has a bug:
    if you allow the first built-in registry protection, the second one will be allowed automatically,
    which is not good.
    This happens with a new custom protected key:
    if you allow a built-in protected key, your custom protected key will be allowed automatically as well, which is not good at all.
    I reported it ;)
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,843
    Location:
    The Netherlands
    BTW, SS performed pretty well against the Matousec leak-tests for Win 64-bit. I wonder if those tests didn't use code injection? I think this is very unlikely. Too bad that Matousec and MRG Effitas are not testing SS anymore.

    http://www.matousec.com/projects/proactive-security-challenge-64/results.php

    I believe it should be possible to control this for more experienced users. In my view, it doesn't make sense to alert about certain keys.
     
  11. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,973
    Location:
    Poland - Cracow
    Hmmm...whatever, not to talk about those tests, I thought it was worth checking how the matter actually looks. So I've found:
    - tested version - 9.2...more than 2 years ago...and its overall score is 89% in PSC 64

    SS passed
    SS passed
    SS passed
    both passed (CopyCat - is not a process hollowing?)
    all passed
    all passed
    all passed
    both passed
    both passed

    Hmmm...and now I don't know what to think...the results are clear and obvious...can we say anything against them?
     
    Last edited: Nov 2, 2016
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,843
    Location:
    The Netherlands
    Thanks for looking into this. But that's why I think it's weird that SS seems to fail against a simple tool like RemoteDLL. Did you also test this tool? And I don't believe that any of the Matousec leak-tests used process hollowing. Also, I've tested SS against certain leak-tests on Win 8.1, and it failed.

    http://securityxploded.com/remotedll.php
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,843
    Location:
    The Netherlands
    BTW, besides giving an option to protect certain reg-keys on demand, they could have added a feature similar to Outpost's Application Guard, see link. It's this kind of innovation that I'm missing. I also assume that SS protects all keys that are monitored by AutoRuns, but we will never know since the list is not available.

    http://www.agnitum.com/support/kb/article.php?id=1000283&
    http://filehippo.com/download_autoruns/
     
  14. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    405
    Location:
    router
    A long time ago I was running Outpost. That's the one way for protection.
    About Autoruns: you can set it to Ask User mode, then you can find out which keys are protected by ticking and unticking and denying :)
    Not all of them are monitored, as I see.
    But there are 3 types of registry protection, as I see with Autoruns. It seems
    if you allow one key under one category, all other keys under the same category are auto-allowed.
    Category: Autorun
    Category: WebBrowser/Shell extension
    Category: General

    If it were allowed to create a custom category, then we could use the maximum potential of SpyShelter Firewall.


    Yes, that's good too for more control. I don't mind getting more alerts, I just want more control.
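    The behaviour co22 describes in posts 9 and 14 is a question of rule scope: when an allow decision is remembered per category, one click for a built-in key silently covers every other key in that category, including a custom one. The following added example (not SpyShelter code; its key list is constructed and the custom key path is hypothetical, since the thread notes the real list is unpublished) models both scopes side by side so the difference is visible. Function and class names (Policy, simulate, protected_key) are assumptions for the demo.

```python
from dataclasses import dataclass, field

# The three categories co22 reports seeing via Autoruns.
CATEGORIES = ("Autorun", "WebBrowser/Shell extension", "General")


@dataclass(frozen=True)
class ProtectedKey:
    path: str
    category: str
    custom: bool = False  # True for a key the user added, False for a built-in one


# Constructed sample list. The Run and BHO keys are well-known autostart
# locations; the ExampleCorp key is a hypothetical user-added entry. None of
# this is SpyShelter's real list.
PROTECTED = [
    ProtectedKey(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Autorun"),
    ProtectedKey(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Autorun"),
    ProtectedKey(r"HKCU\Software\ExampleCorp\Updater\Startup", "Autorun", custom=True),
    ProtectedKey(
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
        "WebBrowser/Shell extension",
    ),
]


@dataclass
class Policy:
    """Allow decisions remembered for one application."""

    scope: str  # "category": the behaviour reported in the thread; "key": per-key rules
    allowed: set = field(default_factory=set)

    def _marker(self, key: ProtectedKey) -> str:
        return key.category if self.scope == "category" else key.path.lower()

    def remember_allow(self, key: ProtectedKey) -> None:
        """Record the user's 'allow' for this key at the policy's granularity."""
        if self.scope not in ("category", "key"):
            raise ValueError("scope must be 'category' or 'key'")
        self.allowed.add(self._marker(key))

    def decide(self, key: ProtectedKey) -> str:
        """'allow' if a remembered rule covers this write, otherwise 'ask' the user."""
        return "allow" if self._marker(key) in self.allowed else "ask"


def protected_key(path: str) -> ProtectedKey:
    return next(k for k in PROTECTED if k.path.lower() == path.lower())


def simulate(scope: str) -> dict:
    """The user allows one app to write the built-in HKCU Run key, then the same
    app touches every other protected key. Returns the decision per key path."""
    policy = Policy(scope)
    policy.remember_allow(protected_key(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"))
    return {k.path: policy.decide(k) for k in PROTECTED}


if __name__ == "__main__":
    for scope in ("category", "key"):
        print(f"--- scope = {scope}")
        for path, decision in simulate(scope).items():
            print(f"{decision:5}  {path}")
```

    With category scope the custom ExampleCorp key is auto-allowed after a single decision about a different key, which is exactly the leak reported above; with key scope the custom key still prompts, and a custom category (as co22 asks for) would only be a middle ground between the two.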
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,843
    Location:
    The Netherlands
    BTW, I wonder why the "Restricted App" feature didn't stop CTB Locker. Also, you probably already know this but old skool HIPS like Neoava Guard and Online Armor both had file monitoring features. NG alerted about rapid file modification/deletion and OA alerted about "enumerating of files". But I'm not sure if they would be capable of blocking ransomware.

    http://help.emsisoft.com/oa/Programs.shtml (scroll to Advanced Options)

    Thanks for testing, I don't use any virtual machines and didn't want to mess with my system, so that's why I didn't. It should really protect most of these keys, since they might be used by malware.
     
  16. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,973
    Location:
    Poland - Cracow
    No, I haven't tested specific leak-tests...perhaps I will in the near future :)
    And what about "CopyCat"?
    "can infect a running instance of Internet Explorer in memory and use it to send data to Internet server."
    isn't it?

    Really??...I think "restricted apps" is meant for running apps...of course with lowered rights, however "run", so the specific process is allowed to make some changes. This feature should be used to restrict specified vulnerable but known processes, not for malware.
    For all unknown files downloaded/copied from external sources the "restricted files/folders" feature should...even more - has...to be used.
     
    Last edited: Nov 4, 2016
  17. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,398
    Location:
    Germany
    Hi all

    When I install or update programs I do not get any Firewall alert popup from the SpyShelter Firewall. Is this normal, and what do you need from me?

    Any Infos and help for me

    With best Regards
    Mops21
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,843
    Location:
    The Netherlands
    I suggest you check out the RemoteDLL tool, I wonder if it also fails on your Win 64 bit system. And process hollowing is a specific code injection technique, I believe CopyCat uses another one. In general, HIPS should at least protect against these methods:

    http://www.testmypcsecurity.com/leaktest_techniques.html

    If the SS sandbox restricts apps from writing to most of the file-system, then it should be able to stop ransomware. So it seems like a flaw to me, at least if member hjlbx tested it correctly. But normally he's right about stuff, so I don't doubt it.
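    The injection techniques behind the leak-tests linked above show up, on a monitored host, as one process opening a handle to another with write/thread rights or starting a thread in it; this is what a HIPS alert corresponds to in telemetry. The following added example (not from the post, from SpyShelter or from Matousec) runs that detection logic over a few constructed Sysmon-style records using the field names of Sysmon's ProcessAccess (Event ID 10) and CreateRemoteThread (Event ID 8) events; the images, access values and the names parse_events and detect are made up for the demo.

```python
import json

# Process access-mask bits from the Windows process security model.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
# Writing into another process's memory needs VM_OPERATION | VM_WRITE; the
# thread right is what turns a write into executing code.
WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed records, one JSON object per line. Field names follow Sysmon's
# Event ID 10 (ProcessAccess) and Event ID 8 (CreateRemoteThread); every path,
# PID-less image and GrantedAccess value here is invented for the demo.
SAMPLE_EVENTS = """\
{"EventID": 10, "SourceImage": "C:\\\\Windows\\\\explorer.exe", "TargetImage": "C:\\\\Windows\\\\explorer.exe", "GrantedAccess": "0x1400"}
{"EventID": 10, "SourceImage": "C:\\\\Tools\\\\updater.exe", "TargetImage": "C:\\\\Program Files\\\\Browser\\\\browser.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 10, "SourceImage": "C:\\\\Tools\\\\taskviewer.exe", "TargetImage": "C:\\\\Windows\\\\notepad.exe", "GrantedAccess": "0x1000"}
{"EventID": 8, "SourceImage": "C:\\\\Tools\\\\updater.exe", "TargetImage": "C:\\\\Program Files\\\\Browser\\\\browser.exe", "StartModule": "", "StartFunction": ""}
{"EventID": 8, "SourceImage": "C:\\\\Windows\\\\System32\\\\svchost.exe", "TargetImage": "C:\\\\Windows\\\\System32\\\\svchost.exe", "StartModule": "C:\\\\Windows\\\\System32\\\\ntdll.dll", "StartFunction": "RtlUserThreadStart"}
"""


def parse_events(text: str) -> list:
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _cross_process(ev: dict) -> bool:
    # Same image on both sides (e.g. a service touching its own worker) is the
    # common benign case; the HIPS-relevant case is one image reaching into another.
    return ev["SourceImage"].lower() != ev["TargetImage"].lower()


def detect(events: list) -> list:
    """Return one alert per event that looks like cross-process code injection."""
    alerts = []
    for ev in events:
        if not _cross_process(ev):
            continue
        if ev["EventID"] == 10:
            access = int(ev["GrantedAccess"], 16)
            if access & WRITE_MASK == WRITE_MASK:
                rule = "cross-process memory write access"
                if access & PROCESS_CREATE_THREAD:
                    rule += " with thread creation right"
                alerts.append({"rule": rule, "source": ev["SourceImage"],
                               "target": ev["TargetImage"], "access": hex(access)})
        elif ev["EventID"] == 8:
            # A remote thread whose start address resolves to no module is the
            # classic sign that the code was written into the target first.
            detail = "unbacked start address" if not ev.get("StartModule") else ev["StartModule"]
            alerts.append({"rule": "remote thread into foreign process",
                           "source": ev["SourceImage"], "target": ev["TargetImage"],
                           "detail": detail})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_EVENTS)):
        print(a)
```

    On this input the updater-to-browser pair is flagged twice (the handle with write and thread rights, then the thread started in the browser), the self-access and read-only rows are not; a real deployment tunes the same two rules with an allowlist for known debuggers and accessibility tools rather than by loosening the mask.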
     
  19. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,398
    Location:
    Germany
    Hi all

    Any Infos and help for me

    With best Regards
    Mops21
     
  20. Poppey

    Poppey Registered Member

    Joined:
    Nov 23, 2015
    Posts:
    36
    Location:
    Germany
    Hello, I think that is not normal. When I install new software I get a pop-up asking if I would allow the setup.exe. Have you enabled everything under "Einstellungen" - "Liste der überwachten Aktionen"? Is everything enabled under "Schutz"? Do you have "Einstellungen" - "Fortgeschritten" - "Tooltips einschalten für automatisch erlaubte signierte Dateien" enabled?
     
  21. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,398
    Location:
    Germany
    Hi

    Thank you very much for your info. Can you please make screenshots of it for me?

    What must I send to SpyShelter after the check, any files? If yes, which ones, and where can I find them?

    With best Regards
    Mops21
     
  22. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    405
    Location:
    router
    I think you should get an alert window at least in Ask User mode.
    If you run an installer, then select Install mode and then launch the program from the installer, you should not get any alert.
    Also, if you tick "remember my choice" and/or "Create rules in Installer Mode" in the settings tab,
    rules will be created in installer mode when the program is run directly from the installer.
    There is also another option, "Show 'Update rules' dialog": if you select Accept all old rules of the component,
    then there are no more alerts for the same already created rule.
    But if you believe that's not your case and there is a real problem, create a ticket with more detail, step by step, at SpyShelter support:
    https://www.spyshelter.com/helpdesk/
     
  23. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,973
    Location:
    Poland - Cracow
    Probably I couldn't agree with you, and I think that the "test" made by hjlbx is useless...at all. "Restricted apps" is not an isolated/virtualised environment, and the reason to use it is not to test very dangerous malware but to launch vulnerable programs with lowered privileges.
    Additionally we don't know:
    - the variant of CTBLocker
    - the settings of SS...it means - level of protection, list of objects in the "Folders with write access" tab and probably some others that can affect the results (alerts, automatic allowing and blocking, user decisions)
    - whether it was SS Premium or Firewall.
    He wrote
    This is my understanding:
    - first - this is a list of monitored actions, or automatically allowed ones (if we want so)...not blocked
    - second - restricted apps don't automatically block all monitored actions but only those that are connected with those restrictions
    SS is not an anti-ransomware application, however some features are useful to protect against it.
     
  24. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,398
    Location:
    Germany
    Hi @Poppey and Hi @co22

    Thank you very much for your answers and for your help. I have contacted them about my issue and I will get back when I have the final result.

    With best Regards
    Mops21
     
  25. Jerry666

    Jerry666 Registered Member

    Joined:
    May 28, 2002
    Posts:
    176